LSASS Access From Program in Potentially Suspicious Folder

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

Sigma rule (View on GitHub)

  1title: LSASS Access From Program in Potentially Suspicious Folder
  2id: fa34b441-961a-42fa-a100-ecc28c886725
  3status: experimental
  4description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
  5references:
  6    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
  7    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
  8    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
  9    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 10    - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 11author: Florian Roth (Nextron Systems)
 12date: 2021/11/27
 13modified: 2023/05/05
 14tags:
 15    - attack.credential_access
 16    - attack.t1003.001
 17    - attack.s0002
 18logsource:
 19    category: process_access
 20    product: windows
 21detection:
 22    selection:
 23        TargetImage|endswith: '\lsass.exe'
 24        GrantedAccess|endswith:
 25            - '10'
 26            - '30'
 27            - '50'
 28            - '70'
 29            - '90'
 30            - 'B0'
 31            - 'D0'
 32            - 'F0'
 33            - '18'
 34            - '38'
 35            - '58'
 36            - '78'
 37            - '98'
 38            - 'B8'
 39            - 'D8'
 40            - 'F8'
 41            - '1A'
 42            - '3A'
 43            - '5A'
 44            - '7A'
 45            - '9A'
 46            - 'BA'
 47            - 'DA'
 48            - 'FA'
 49            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
 50            - 'FF'
 51        SourceImage|contains:
 52            - '\Temp\'
 53            - '\Users\Public\'
 54            - '\PerfLogs\'
 55            - '\AppData\'
 56            - '\Temporary'
 57    filter_optional_generic_appdata:
 58        SourceImage|startswith: 'C:\Users\'
 59        SourceImage|contains: '\AppData\Local\'
 60        SourceImage|endswith:
 61            - '\Microsoft VS Code\Code.exe'
 62            - '\software_reporter_tool.exe'
 63            - '\DropboxUpdate.exe'
 64            - '\MBAMInstallerService.exe'
 65            - '\WebexMTA.exe'
 66            - '\WebEx\WebexHost.exe'
 67            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
 68        GrantedAccess: '0x410'
 69    filter_optional_dropbox_1:
 70        SourceImage|startswith: 'C:\Windows\Temp\'
 71        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
 72        GrantedAccess:
 73            - '0x410'
 74            - '0x1410'
 75    filter_optional_dropbox_2:
 76        SourceImage|startswith: 'C:\Users\'
 77        SourceImage|contains: '\AppData\Local\Temp\'
 78        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
 79        GrantedAccess: '0x1410'
 80    filter_optional_dropbox_3:
 81        SourceImage|startswith:
 82            - 'C:\Program Files (x86)\Dropbox\'
 83            - 'C:\Program Files\Dropbox\'
 84        SourceImage|endswith: '\DropboxUpdate.exe'
 85        GrantedAccess: '0x1410'
 86    filter_optional_nextron:
 87        SourceImage|startswith:
 88            - 'C:\Windows\Temp\asgard2-agent\'
 89            - 'C:\Windows\Temp\asgard2-agent-sc\'
 90        SourceImage|endswith:
 91            - '\thor64.exe'
 92            - '\thor.exe'
 93            - '\aurora-agent-64.exe'
 94            - '\aurora-agent.exe'
 95        GrantedAccess:
 96            - '0x1fffff'
 97            - '0x1010'
 98            - '0x101010'
 99    filter_optional_ms_products:
100        SourceImage|startswith: 'C:\Users\'
101        SourceImage|contains|all:
102            - '\AppData\Local\Temp\'
103            - '\vs_bootstrapper_'
104        GrantedAccess: '0x1410'
105    filter_optional_chrome_update:
106        SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
107        SourceImage|endswith: '.tmp\GoogleUpdate.exe'
108        GrantedAccess:
109            - '0x410'
110            - '0x1410'
111    filter_optional_keybase:
112        SourceImage|startswith: 'C:\Users\'
113        SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
114        GrantedAccess: '0x1fffff'
115    filter_optional_avira:
116        SourceImage|contains: '\AppData\Local\Temp\is-'
117        SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
118        GrantedAccess: '0x1410'
119    filter_optional_viberpc_updater:
120        SourceImage|startswith: 'C:\Users\'
121        SourceImage|contains: '\AppData\Roaming\ViberPC\'
122        SourceImage|endswith: '\updater.exe'
123        TargetImage|endswith: '\winlogon.exe'
124        GrantedAccess: '0x1fffff'
125    filter_optional_adobe_arm_helper:
126        SourceImage|startswith:  # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
127            - 'C:\Program Files\Common Files\Adobe\ARM\'
128            - 'C:\Program Files (x86)\Common Files\Adobe\ARM\'
129        SourceImage|endswith: '\AdobeARMHelper.exe'
130        GrantedAccess: '0x1410'
131    condition: selection and not 1 of filter_optional_*
132fields:
133    - User
134    - SourceImage
135    - GrantedAccess
136falsepositives:
137    - Updaters and installers are typical false positives. Apply custom filters depending on your environment
138level: medium
